39 matches found
CVE-2023-31133
Ghost is an app for new-media creators with tools to build a website, publish content, send newsletters, and offer paid subscriptions to members. Prior to version 5.46.1, due to a lack of validation when filtering on the public API endpoints, it is possible to reveal private fields via a brute...
MAL-2025-150080 Malicious code in @mipta1/iyug (npm)
Source: amazon-inspector a08cf248796e5310ec3c2669b74f2a8e5bae9fe14f9a49bed8822b7f98f12c99 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in sexual_goat-appteadev (npm)
Source: amazon-inspector 29c0b585b9fd26311047a831cdcd81aa690bd0124d75e80256c822a517e3cb61 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-87736 Malicious code in laila-semur73-riris (npm)
Source: amazon-inspector 521449b0842d83cab3375531d22ab0e871aa5e0f6f1f425d9e9003bbbcfdb9b8 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in erick-kembang92-miaww (npm)
Source: amazon-inspector 41b1fdf6df91abe3de51f966e36a500972e6e994a5eee1256a080ec4d4ab8f53 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
CVE-2024-56143
Strapi is an open-source headless content management system. In versions from 5.0.0 to before 5.5.2, the lookup operator provided by the document service does not properly sanitize query parameters for private fields. An attacker can access private fields, including admin passwords and reset...
EUVD-2024-55037
Strapi Allows Unauthorized Access to Private Fields via parms.lookup...
GHSA-495J-H493-42Q2 Strapi Allows Unauthorized Access to Private Fields via parms.lookup
Summary It's possible to access any private fields by filtering through the lookup parameters Details Using the new lookup operator provided by the document service in Strapi 5, it is not properly sanitizing this query operator for private fields. PoC 1. Create a strapi app. 2. Create a...
Authorization Bypass Through User-Controlled Key
Overview @strapi/core is the core package of Strapi. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the lookup operator in the document service, due to improper sanitization of the query operator for private fields. An attacker can retrieve sensitive...
CVE-2024-56143 Strapi Allows Unauthorized Access to Private Fields via parms.lookup
Strapi is an open-source headless content management system. In versions from 5.0.0 to before 5.5.2, the lookup operator provided by the document service does not properly sanitize query parameters for private fields. An attacker can access private fields, including admin passwords and reset...
CVE-2024-56143
Strapi 5.0.0–5.5.1 is vulnerable due to improper sanitization of the document service lookup operator for private fields, enabling an attacker to access sensitive data (e.g., admin passwords, reset tokens). The issue is fixed in Strapi 5.5.2. Affected software, root cause, and impact are corrobor...
Strapi security vulnerability
Strapi is an open source content management system (CMS) from the French Strapi community. A security vulnerability exists in Strapi versions 5.0.0 up to but not including 5.5.2. It stems from the lookup operation in the document service, which does not properly sanitize the query parameters for private...
EUVD-2021-0898
Malware in sbrugna...
EUVD-2023-2021
Malicious code in bioql PyPI...
EUVD-2023-1619
Malicious code in bioql PyPI...
CVE-2021-32624
Keystone 5 is an open source CMS platform to build Node.js applications. This security advisory relates to a newly discovered capability in our query infrastructure to directly or indirectly expose the values of private fields, bypassing the configured access control. This is an access control...
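The Ghost, Strapi and Keystone entries above all describe one bug class: the query filter is evaluated against fields that the response hides, so every filter request becomes a yes/no oracle on a private value and a prefix search recovers it one character at a time. The following is an added example written for this listing, not code from Ghost, Strapi, Keystone or any of the advisories. It assumes a constructed in-memory user table, a toy filter evaluator with three operators named in the style of Strapi's query syntax, and hypothetical functions (`findManyVulnerable`, `findManyHardened`, `sanitizeFilters`, `extractPrivateField`) that stand in for a real content API. It shows the leak through the vulnerable path, and that sanitizing the filter (not just the output) removes the signal.

```javascript
// Added example: filter-as-oracle leak of private fields, and the fix.
// Nothing here is project code; the schema, records and API are constructed.

// Hypothetical content type. `private: true` marks fields the API must never
// return, in the way a CMS schema flags password and reset-token fields.
const userSchema = {
  email: { type: "string" },
  password: { type: "string", private: true },
  resetPasswordToken: { type: "string", private: true },
};

// Constructed sample records (the hash is a placeholder, not a real bcrypt hash).
const users = [
  { email: "admin@example.com", password: "$2a$10$hunter2hash", resetPasswordToken: "tok-9f3a" },
  { email: "bob@example.com", password: "$2a$10$other", resetPasswordToken: null },
];

// Minimal filter evaluator: { field: { $op: value } } with three operators.
function matches(record, filters) {
  return Object.entries(filters).every(([field, ops]) => {
    const value = record[field];
    return Object.entries(ops).every(([op, expected]) => {
      if (typeof value !== "string") return false;
      switch (op) {
        case "$eq": return value === expected;
        case "$startsWith": return value.startsWith(expected);
        case "$contains": return value.includes(expected);
        default: throw new Error(`unsupported operator ${op}`);
      }
    });
  });
}

// Output sanitization only: private fields are dropped from the response.
function sanitizeOutput(record, schema) {
  return Object.fromEntries(Object.entries(record).filter(([f]) => !schema[f]?.private));
}

// Vulnerable path: the filter runs against the raw record, so a match or
// no-match answer depends on private values the response never shows.
function findManyVulnerable(filters) {
  return users.filter((u) => matches(u, filters)).map((u) => sanitizeOutput(u, userSchema));
}

// Fix: strip unknown and private fields from the filter *before* querying,
// so whether a row matches can never depend on a private value.
function sanitizeFilters(filters, schema) {
  const clean = {};
  for (const [field, ops] of Object.entries(filters)) {
    if (!(field in schema)) continue;      // unknown field: drop
    if (schema[field].private) continue;   // private field: drop
    clean[field] = ops;
  }
  return clean;
}

function findManyHardened(filters) {
  return users
    .filter((u) => matches(u, sanitizeFilters(filters, userSchema)))
    .map((u) => sanitizeOutput(u, userSchema));
}

// Attacker side: recover `field` for one user using $startsWith as an oracle.
// Returns null when the API shows no signal (filter ignored or rejected).
function extractPrivateField(findMany, email, field, alphabet, maxLen = 64) {
  // Calibrate first: a prefix that cannot match must return zero rows,
  // otherwise the server is ignoring the filter and there is nothing to read.
  const probe = findMany({ email: { $eq: email }, [field]: { $startsWith: "\u0000impossible" } });
  if (probe.length > 0) return null;

  let known = "";
  while (known.length < maxLen) {
    let extended = false;
    for (const ch of alphabet) {
      const hits = findMany({ email: { $eq: email }, [field]: { $startsWith: known + ch } });
      if (hits.length > 0) { known += ch; extended = true; break; }
    }
    if (!extended) return known; // no character extends the prefix: value complete
  }
  return known;
}

const ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789$./-";
```

Note that `findManyVulnerable` never returns `password` or `resetPasswordToken` in its output, which is why output-only sanitization looks safe in a casual test; the calibration probe is the quickest way to check a real endpoint, since an ignored private-field filter should leave the result set unchanged and a rejected one should return an error rather than rows.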